[e-lang] Public names

Nick Szabo e-lang@mail.eros-os.org
Tue, 11 Mar 2003 10:14:39 +0000 (GMT)


markm writes:
> The fatal goal: A global namespace of human readable names that would
> be secure and collision free. This goal cannot be achieved. In
> seeking the impossible, DNS sacrificed decentralization, and thereby
> sacrificed security. By contrast, in a Pet Name system
> <http://www.erights.org/elib/capability/pnml.html>, the human
> readable names aren't globally unique, and are indeed managed at the
> endpoints rather than in the infrastructure.

The goal of unique, secure, and public human readable
names -- and specifically mappings of such names to
computer-readable information needed by users who
cannot be individually identified by the owner of that
name and information -- both must be achieved and in fact
can be achieved.

The DNS consists of a mapping of human-readable names to IP addresses.
Ignoring for a moment the current central allocation of domain names,
this mapping is initially known only to the owner of the IP address.
The owner expresses the mapping by (a) publishing, in any human-readable
media, a particular domain name for people to read and pass on and access
her service, and (b) obtaining a particular IP address.  It is the
owner of the IP address and the service at that address, not anybody
else, who chooses the name and mapping.  That choice need be
constrained only by the name's public uniqueness.  Communicating
the owner's chosen mapping with integrity to the end user is
critical to her service's accessibility and integrity.

An end user can learn of the name through a variety of channels such as
another web site, e-mail, or other media.  The user's software
then needs to map this name to the IP address its owner intends
it to correspond to.  Substituting a "pet name" made
up by the end user for the name by which the service is
widely known is worse than pointless; it is infeasibly confusing.
The user wants to remember and contact the service using the
name he has read in the media and by which he tells others how
to locate the service.  It is also the name by which the user's
software can figure out the address without the user's
wasting thought and intervention on each of hundreds of such service
contacts that might be made in a given month.

Calling the mapping intended by the owner a "hint" obscures the
fact that the integrity of this "hint" is vital to this process whereby
the end user learns about the unique service and its unique name,
and then contacts the service over the Internet.  Spoof this "hint" and
the user will contact a service perhaps very different from what he
intended by using the "hint" and the owner intended by publishing
the "hint".  It may look the same to the user, though.  The security of
both the service owner and the end user can thus be compromised
by a bad "hint".

Thus global domain name to IP address mappings are far more
than "hints".  They are things like property boundaries that we
must come to widespread or public agreement on.  We need
to have high integrity in such public name mappings.  I
describe how to do a secure decentralized public name space at

http://szabo.best.vwh.net/securetitle.html



Nick Szabo
http://www.best.com/~szabo/